Data protection digest 3 April 2026: abusive access request, human resources management & patient data in the cloud 

Abusive data access request

The EU Court of Justice ruled that even a first personal data access request may be deemed abusive under the GDPR if it is made solely to generate compensation claims, allowing controllers to refuse such requests. An individual residing in Austria subscribed to the newsletter of a family-run optician company in Germany by entering his personal data in the registration form available on the company’s website. 

Thirteen days later, he sent a request for access under Article 15 of the GDPR. The company refused the request, considering it to be abusive. According to various reports and blog articles, the individual systematically subscribes to newsletters of various companies before submitting an access request and then a compensation claim. The individual maintained that his access request was legitimate and claimed compensation of at least 1,000 euros.

Main developments

Protecting children online: On 3 April, the Regulation on the Extension of Derogation from the ePrivacy Directive for the purpose of identifying Child Sexual Abuse Material (CSAM) online expired, digitalpolicyalert.org reports. The extension concerns an exemption from data protection regulations, which grants hundreds of providers offering number-independent interpersonal communication services, such as messaging services, the authority to use technologies for processing personal and other data to identify, report, and remove instances of online child sexual abuse on their platforms. In addition, providers must ensure that information regarding reports of detected online child sexual abuse submitted to authorities and the Commission is accessible in a structured format.

‘Legitimate interests’ analysis: The EDPB has published a One-Stop-Shop case digest on the legal basis of “legitimate interest”. It provides useful examples of how regulators analyse controllers’ reliance on this legal basis in specific contexts, providing positive and negative compliance examples. In particular, it explains and summarises how regulators apply the three-step test to assess whether a controller can lawfully rely on legitimate interests. Relevant cases before the CJEU and national courts are also mentioned. 

Back up!

On World Backup Day, 31 March, the German Federal Office for Information Security (BSI) called on consumers to back up important data. Data backup is not a complicated process: most operating systems guide users through the process. Nonetheless, only one-fifth of internet users regularly create backups. Backups can be performed in the cloud or on a physical storage medium, such as an external hard drive.

Those who opt for a physical storage medium should keep it in a different location than, for example, the source computer for the data being backed up.  

Human resources management

The CNIL has published a reference framework (in French) to help data controllers identify retention periods for their personnel management activities. This document is particularly useful for data protection officers and GDPR referents, but also for staff working in human resources departments or in the information systems department. The framework is organised by processing activity and includes:

  • recruitment;
  • administrative management of personnel;
  • compensation management;
  • the security of goods and people;
  • the management of professional vehicles;
  • listening to and recording telephone conversations in the workplace;
  • the management of collective labour relations;
  • the management of occupational accidents;
  • the management of litigation and pre-litigation;
  • the management of whistleblowing.

More official guidance

Cookies user guide: The Swiss regulator, FDPIC, has published a factsheet on the use of cookies (in English) that explains how users can retain control over their own data and minimise the digital footprint they leave behind while browsing. Although cookies and similar technologies can enhance the online browsing experience, for example, by saving the contents of a shopping basket or certain preferences, they can also enable third parties to track users’ online activities. 

AI red lines: The Future of Privacy Forum continues its series of publications on Red Lines under the EU AI Act. This time, it pays attention to the prohibition on biometric categorisation for “certain sensitive characteristics” to deduce or infer race, political opinions, trade union membership, religious or philosophical beliefs, etc. The risks associated with biometric categorisation also reflect broader concerns under EU data protection legislation, as sensitive characteristics may themselves constitute special categories of personal data under the GDPR. 

Previous analysis by FPF also looked at the prohibition on emotion recognition in the workplace and in educational institutions.

Health data in the cloud: More and more organisations are using cloud solutions for processing health data. The Dutch data protection authority AP has therefore published an updated and broadened version of AP’s practice guide on patient data in the cloud. The practice guide now focuses not only on patient data within the treatment relationship, but on health data in a broader sense.

In other news

Police biometric data: A police authority may, in a criminal investigation, collect biometric data only where the collection is strictly necessary. The Maltese data protection agency looked at a recent ruling by the CJEU, which stated that the gathering of identification data may not be required systematically and that clear reasons must be given for it, failing which the criminal penalty laid down for refusing to consent to that gathering will be invalid.

In a related case, a person was detained in Paris for organising a demonstration without prior notice and for disobedience. While he was in police custody, he refused to consent to the gathering of identification data (fingerprints and photo). That refusal resulted in his being charged, even though he was acquitted of the offence forming the basis of the envisaged gathering of identification data. 

Credit information checks should be free of charge: The Finnish data protection ombudsman considers that the regular practice of the credit information company Dun&Bradstreet, in which a person has only been able to check their own credit information once a year, free of charge, is not in accordance with data protection legislation. Customers had been regularly charged a fee if they had requested information more than once within a year. The company also had shortcomings in responding to requests for personal data. 

According to the law, a fee can only be charged in situations where the request is manifestly unfounded or unreasonable, for example, if the same information is requested repeatedly. 

More enforcement decisions

OKCupid data sharing: In the US, the Federal Trade Commission is taking action against OkCupid and its affiliate Match Group Americas over allegations that it deceived users of its dating app by sharing their personal information, including photos and location information, with an unrelated third party, contrary to OkCupid’s privacy promises. OkCupid provided the third party with access to nearly three million OkCupid user photos as well as location and other information without placing any formal or contractual restrictions on how the information could be used. 

The FTC also alleged that, since September 2014, Match and OkCupid took extensive steps to conceal their wrongdoing, including by trying to obstruct the FTC’s investigation.

Unauthorised access to banking information: The Italian data protection authority Garante has fined Intesa Sanpaolo 31.8 million euros for serious shortcomings in personal data security. The investigation found that an employee accessed, without justification, the banking information of 3,573 customers, making over 6,600 inquiries between February 21, 2022, and April 24, 2024. These unauthorised accesses were not detected by internal control systems, highlighting significant weaknesses in the monitoring and prevention mechanisms. 

And Finally

Wearables: The Swiss FDPIC has published practical advice on smartwatches and fitness trackers, which monitor your physical activity and bodily functions and are now widely used. Smart glasses, which make it easy to take and share photos and videos, are also gaining in popularity. As all these body-worn devices pose a particular threat to privacy, users should exercise particular caution when using them.

Before making their choice, buyers should check how the manufacturer has configured the device, whether the product allows for privacy-friendly settings, where the collected data is stored, and whether the processing of such data is comprehensible overall.

Fraudulent websites: Reportedly, phishing remains one of the largest forms of online crime. To better protect internet users against this, several Dutch public and private parties have jointly tested a new approach. The so-called Anti Phishing Shield demonstrates that the approach works: since the start of the pilot in July 2025, over two million attempts to visit phishing and fraudulent websites have been blocked among a group of over 200,000 users. Internet providers can easily connect to the tool and use it to protect their customers. And users must give their prior explicit consent via a so-called ‘opt-in’. 

Read the original publication to see how the Anti Phishing Shield works.
